(54) Abstract Title

Portable data carrier memory management system and method

(57) A portable data carrier 1 (e.g. IC card, smart card, chip card) includes a processor 2 having privileged 3
and non-privileged 4 modes of operation. A memory 10 is divided into a plurality of pages 11, 12, 13, 14, each
having one of a predetermined number of security levels associated therewith. A Memory Management
Unit (MMU) 5 is coupled to the processor 2 and to the memory 10 to control access of the processor 2 to the
pages of the memory according to the security level of the page that the processor is trying to access. In
privileged mode the processor unit 2 can set control register 6 in the MMU 5 and thus alter the security levels
associated with each page of memory. In the given embodiment a hardware switch 7 is used to determine the
operating mode of the processor. The memory may consist of RAM, ROM and/or EEPROM.

Portable Data Carrier Memory Management System and Method

Field of the Invention
This invention relates to a method and apparatus for managing a
memory in a portable data carrier.

Background of the Invention
Conventional portable data carriers (e.g. smartcards or chip cards) often have
more than one software application loaded thereon, such as different banks' account
access software, personal data, electronic purse, or other applications, each application
having a security function associated with it. The applications are stored in a memory
on a chip in the smartcard, on which chip are usually also located the processor which
controls the operation of the smartcard, and other electronic circuits providing other
functionality.

Different applications may well have different security levels and, even within
each application, different parts of the application and different data may have different
security levels. Thus, different parts of the memory need to have different security
levels to allow or restrict access thereto.

Brief Summary of the Invention
The present invention therefore seeks to provide a method and apparatus for
managing a memory in a portable data carrier which overcomes or at least reduces the
above-mentioned problems of the prior art.

Accordingly, in one aspect, the invention provides a portable data carrier
comprising a processor having privileged and non-privileged modes of operation, a
memory divided into a plurality of blocks, each block having one of a predetermined
number of security levels associated therewith, and a Memory Management Unit
(MMU) coupled to the processor and to the memory to control access of the processor to
the memory according to the mode in which the processor is operating and the security
level of the memory block that the processor is trying to access.

Preferably, the blocks into which the memory is divided are pages and the MMU
is a Paged Memory Management Unit (PMMU).

In a preferred embodiment, the PMMU restricts access of the processor to the
pages of the memory when the processor is operating in the non-privileged mode to only
those pages that have a predetermined subset of the predetermined number of security
levels.

Preferably, the predetermined number of security levels is five, a first security
level allowing access to the page of memory or not, a second security level allowing
reading of the page of memory or not, a third security level allowing reading and writing
of the page of memory or not, a fourth security level allowing reading and executing of
the page of memory or not, and a fifth security level allowing reading, writing and
executing of the page of memory or not.

The processor preferably includes a hardware switch for switching between the
privileged and non-privileged operating modes.

In one embodiment, the PMMU comprises at least one register having a plurality
of bits, each bit corresponding to a page of the memory, a bit value of each bit providing
an indication of the security level of the corresponding page.

Preferably, the PMMU comprises at least three registers, a first register having a
plurality of bits whose bit values indicate whether the corresponding page of the
memory can be accessed or not, a second register having a plurality of bits whose bit
values indicate whether the corresponding page of the memory can be written to or not,
and a third register having a plurality of bits whose bit values indicate whether the
corresponding page of the memory can be executed or not.

Preferably, bits in the second and third registers are only utilised if the bits in the
first register corresponding to the same page have bit values indicating that the page can
be accessed.

The memory can comprise an Electrically Erasable Programmable Read Only
Memory (EEPROM), a Random Access Memory (RAM) and/or a Read Only Memory
(ROM).

According to a second aspect, the invention provides a method of managing a
memory in a portable data carrier also including a processor and a Paged Memory
Management Unit (PMMU), the memory being divided into a plurality of pages, the method
comprising the steps of entering a privileged mode of operation of the processor, writing
one of a plurality of predetermined security levels in the PMMU for at least one of the
pages of the memory, exiting the privileged mode of operation of the processor, entering
a non-privileged mode of operation of the processor, requesting access to at least one
page of the memory by the processor to the PMMU, utilising the PMMU to determine
the security level of the at least one page in the memory to which the processor has
requested access, selectively accessing the at least one page of memory based on the
security level determined by the PMMU, and exiting the non-privileged mode of
operation of the processor.

In a preferred embodiment, the step of selectively accessing the at least one page
of memory comprises accessing the at least one page of memory when the security level
of the page is within a predetermined subset of the predetermined number of security
levels.

Preferably, the predetermined number of security levels is five, a first security
level allowing access to the page of memory or not, a second security level allowing
reading of the page of memory or not, a third security level allowing reading and writing
of the page of memory or not, a fourth security level allowing reading and executing of
the page of memory or not, and a fifth security level allowing reading, writing and
executing of the page of memory or not.

The steps of entering and exiting the privileged and non-privileged modes of
operation of the processor preferably comprise utilising a hardware switch in the
processor.

In one embodiment, the step of writing one of a plurality of predetermined
security levels in the PMMU comprises setting a bit value of a bit in at least one register
in the PMMU for each page of the memory for which a security level is to be written.

Preferably, the step of writing one of a plurality of predetermined security levels in
the PMMU comprises setting a bit value of a corresponding bit in each of three registers
in the PMMU for each page of the memory for which a security level is to be written, the
bits in a first register indicating whether the corresponding page of the memory can be
accessed or not, the bits in a second register indicating whether the corresponding page
of the memory can be written to or not, and the bits in a third register indicating whether
the corresponding page of the memory can be executed or not.

The step of utilising the PMMU to determine the security level preferably
comprises utilising the bit in the first register corresponding to the at least one page to be
accessed, and only utilising the corresponding bits in the second and third registers if the
bit value of the bit in the first register indicates that the page can be accessed.

Brief Description of the Drawings
One embodiment of the invention will now be more fully described, by way of
example, with reference to the drawings, of which:

FIG. 1 shows a smartcard chip having a number of components and logical
access channels between those components;

FIG. 2 shows a conceptual representation of the contents of a memory in the
smartcard chip of FIG. 1, with a division of access between an operating system and
various applications stored in the memory; and

FIGS. 3, 4 and 5 show examples of a control mechanism for managing the
memory in the smartcard chip of FIG. 1.

Detailed Description of the Drawings
As shown in FIG. 1, in one embodiment of the present invention, a smartcard
chip 1 includes a number of physical components, which are shown schematically as a
processing unit 2, a memory management unit 5 and a memory unit 10. The processing
unit 2 is used to execute programs which are stored in the memory unit 10.

A stored program may cause the processing unit 2 to access data, which is also 
contained in the memory unit 10. All accesses from the processing unit 2 to the memory 
unit 10 must occur via the memory management unit 5, via channels 21 and 22 in FIG. 
1. Thus, no physical access paths exist directly from the processing unit 2 to the 
memory unit 10. 

Among its capabilities, the processing unit 2 has two operating modes. In a
more privileged mode 3, the processing unit 2 is allowed to set control registers 6 in the
memory management unit 5 using a relatively secure channel 20, and in a less privileged
mode 4, the processing unit 2 is not allowed to alter the way the memory management
unit 5 operates, but can only access the memory unit 10 via the channels 21 and 22. A
hardware switch 7 is provided within the processing unit 2 to switch between the more
privileged and less privileged modes.

The memory unit 10 is divided into blocks, or pages, 11, 12, 13 and 14. When
the processing unit 2 accesses the memory it must specify the page of memory to be
accessed, and the type of access required. The memory management unit 5, which can
be a so-called Paged Memory Management Unit (PMMU), can then grant or deny access
based on whether its control registers permit the processing unit 2 to have the requested
type of access at that particular point of time.

It will be appreciated that because it is possible for a program operating in the 
more privileged mode to modify the control registers of the PMMU 5, this form of 
access control is only effective when the processing unit 2 is operating in the less 
privileged mode. 

Although FIG. 1 shows the memory unit 10 divided into four pages, it will be
appreciated that the present invention applies to a memory unit divided into a number of
blocks, not necessarily only four.

FIG. 2 shows a practical example of the use of the memory unit 10 of FIG. 1.
In FIG. 2, a memory 50 is depicted in an "onion" diagram. At the centre of the diagram
is a page of memory 51 which is private to the operating system. The operating system
is able to execute in the more privileged mode of the processing unit 2, and thus is able
to access the whole of memory 50, in addition to its private page 51. In addition to the
operating system, there are two applications, called "A" and "B". Application A has
access to a particular page of memory 52 and application B has access to another block
of memory 53. A further block of memory 54 is accessible to both applications A and
B. The remainder of memory 55 is free or used by other applications.

FIGS. 3, 4 and 5 show an operational scenario in which the smart card chip
described above with reference to FIG. 1 possessing the memory described above with
reference to FIG. 2 can be used to implement paged memory protection. The memory
can consist of a Random Access Memory (RAM), a Read-Only Memory (ROM), an
Electrically Erasable Programmable Read-Only Memory (EEPROM), or any other
type of memory which is divided into pages, which can have different security levels
associated therewith.

For example, the smartcard chip can be implemented having an M-Core
processor core, together with a PMMU and RAM, ROM and EEPROM memory,
together with a set of device registers providing control of the PMMU, as manufactured
by Motorola, Inc.

Thus, as shown in FIGS. 3, 4 and 5, the PMMU contains a set of three registers
170, 175 and 180 in FIG. 3, 270, 275 and 280 in FIG. 4, and 370, 375 and 380 in FIG. 5,
which control access to the EEPROM pages 190, 290 and 390, respectively, of the
memory. Each of the registers consists of 64 bits, with each bit being associated with a
particular page in the EEPROM memory portion. It will be appreciated that the size of
the register depends on the number of pages into which the portion is divided. Each
portion of memory of a different type will have its own set of registers, but, for clarity,
only one set controlling access to the EEPROM memory portion is shown.

The first register is an "Access" register, which provides a first level of security
either allowing or restricting access to the particular pages of the memory. If the bit
value for a particular page is "1", access is granted to that page, but if the bit value is
"0", access is denied.

The next register is a "Write" register, which provides a second level of security
either allowing or denying write operations to the particular pages of memory. Thus, if
the bit value for a particular page is "1" then both read (access) and write operations are
permitted on that page. If the bit value is "0", then write operations are not permitted, but
read (access) operations are permitted on that page. These operations are only permitted
if access to the page has been granted by the EEPROM "Access" register.

The third register is an "Execute" register providing a third level of security
either allowing or restricting execute operations to be performed on the code on the
particular page. If the bit value for a particular page is "1" then native code may execute
from that page. However, if the bit value is "0", native code may not execute from that
page. Again, execution is only permitted if access to the page has been granted by the
EEPROM "Access" register.
Each of FIGS. 3, 4 and 5 shows the PMMU registers at a particular moment in
time providing up to five different levels of security in total for the pages of the
EEPROM memory.

FIG. 3 shows the state of the registers when an Application A has control of the
processor. By looking at which bits in the "Access" register 170 have values of "0" or
"1", the access rights to particular pages in the EEPROM memory 190 can be
determined. Thus, as shown, "Access" register 170 specifies that Application A can
read from pages containing application A data, in this case only one such page 102 being
shown, pages 104 and 105 having application A code and one or more pages 111 having
shared data. None of the other pages in the memory 190 can be accessed by the

The "Write" register 175 specifies which of the accessible pages, as determined
from the "Access" register 170, can be written to. Thus, as shown, application A can
write to the page 102 containing application A data and to the page 111 containing
shared data, but not to the pages 104 and 105 containing application A code. Similarly,
the "Execute" register 180 specifies which of the accessible pages, as determined from
the "Access" register 170, can be executed. Thus, as shown, the pages 104 and 105
containing application A code are the only pages permitted to execute.

Any other form of access will cause an exception, returning control to the
operating system. Thus, application B does not have to "trust" application A in order for
them both to occupy the same smartcard securely. Any failure or even deliberate
corruption of application A cannot affect application B, except through the defined
shared data page 111.
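As an added illustration, not part of the patent text, the following C program models the Access/Write/Execute register check described above and the FIG. 3 register state for application A. The page indices, macro names and function names are constructed for this example and are not the figure's reference numerals or any real device register interface.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Type of access the processing unit requests for a page. */
typedef enum { OP_READ, OP_WRITE, OP_EXEC } pmmu_op_t;

/* The five security levels the three registers can express for a page. */
typedef enum {
    LVL_NO_ACCESS = 1, LVL_READ_ONLY = 2, LVL_READ_WRITE = 3,
    LVL_READ_EXEC = 4, LVL_READ_WRITE_EXEC = 5
} pmmu_level_t;

/* One register set for a 64-page memory portion, one bit per page. */
typedef struct {
    uint64_t access; /* bit n = 1: page n may be accessed (read) */
    uint64_t write;  /* bit n = 1: page n may be written, if also accessible */
    uint64_t exec;   /* bit n = 1: page n may be executed, if also accessible */
} pmmu_regs_t;

static bool bit_set(uint64_t reg, unsigned page) {
    return page < 64 && ((reg >> page) & 1u) != 0;
}

/* Effective security level of a page. Write and Execute bits are consulted
 * only when the Access bit is set, so a stray Write or Execute bit on an
 * inaccessible page still yields No Access. */
pmmu_level_t pmmu_level(const pmmu_regs_t *r, unsigned page) {
    if (!bit_set(r->access, page)) return LVL_NO_ACCESS;
    bool w = bit_set(r->write, page), x = bit_set(r->exec, page);
    if (w && x) return LVL_READ_WRITE_EXEC;
    if (w) return LVL_READ_WRITE;
    if (x) return LVL_READ_EXEC;
    return LVL_READ_ONLY;
}

/* Grant (true) or deny (false) one request made in the less privileged mode.
 * A denial is the point at which the hardware raises an exception and hands
 * control back to the operating system. */
bool pmmu_check(const pmmu_regs_t *r, unsigned page, pmmu_op_t op) {
    if (!bit_set(r->access, page)) return false;
    switch (op) {
    case OP_READ:  return true;
    case OP_WRITE: return bit_set(r->write, page);
    case OP_EXEC:  return bit_set(r->exec, page);
    }
    return false;
}

/* Constructed register state for application A in the spirit of FIG. 3.
 * Page indices are chosen for this example; they are not the figure's
 * reference numerals (102, 104, 105, 111). */
#define PAGE_A_DATA   2u
#define PAGE_A_CODE0  4u
#define PAGE_A_CODE1  5u
#define PAGE_B_DATA   7u  /* application B's page: no bits set while A runs */
#define PAGE_SHARED  11u

static const pmmu_regs_t app_a_regs = {
    .access = (1ull << PAGE_A_DATA) | (1ull << PAGE_A_CODE0)
            | (1ull << PAGE_A_CODE1) | (1ull << PAGE_SHARED),
    .write  = (1ull << PAGE_A_DATA) | (1ull << PAGE_SHARED),
    .exec   = (1ull << PAGE_A_CODE0) | (1ull << PAGE_A_CODE1),
};

int main(void) {
    const unsigned pages[] = { PAGE_A_DATA, PAGE_A_CODE0, PAGE_A_CODE1,
                               PAGE_B_DATA, PAGE_SHARED };
    for (unsigned i = 0; i < sizeof pages / sizeof pages[0]; i++) {
        unsigned p = pages[i];
        printf("page %2u: level %d read=%d write=%d exec=%d\n", p,
               (int)pmmu_level(&app_a_regs, p),
               pmmu_check(&app_a_regs, p, OP_READ),
               pmmu_check(&app_a_regs, p, OP_WRITE),
               pmmu_check(&app_a_regs, p, OP_EXEC));
    }
    return 0;
}
```

The table printed by main shows application A's data and shared pages at level 3, its code pages at level 4, and application B's page at level 1, which is the separation between the two applications that the text describes.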

FIG. 4 shows the state of the registers when application B has control. In this
case, the "Access" register 270 specifies that the application B can access page(s) 203
containing application B code, the pages 207, 208 and 209 containing application B data
and the page 211 containing shared data. The "Write" register 275 specifies that, of the
pages that application B can access, the application can write to the pages 207, 208 and
209 containing application B data and to page 211 containing shared data, but not to
page 203 containing application B code. Similarly, the "Execute" register 280 specifies
that, of the pages that application B can access, the application can only execute the page
203 containing application B code.

Again, any other form of access will cause an exception, meaning that
application A does not have to "trust" application B.

Finally, FIG. 5 shows the state of the registers when a less privileged portion of
the operating system, such as an unprivileged service routine, has control. In this case,
the "Access" register 370 and the "Write" register 375 specify that the unprivileged
service routine can read from and write to page 301 containing operating system private
data and page 311 containing shared data, but no access to other portions of the memory
is allowed. The "Access" register 370 and the "Execute" register 380 specify that the
unprivileged service routine cannot execute any pages in the memory 390.

Thus, the applications do not have to "trust" this portion of the operating
system. Clearly, because it can update the PMMU registers, the more privileged portion
of the operating system can read from, write to and execute any portion of memory, and
thus has to be "trusted" by all applications.

The embodiment of the invention described above therefore provides a
mechanism whereby different applications or different parts of an application which
execute on a smartcard chip have limited access to various sections of memory based on
the security level of the application or part thereof and the security level of the section of
memory being accessed.

It will be appreciated that although only one particular embodiment of the
invention has been described in detail, various modifications and improvements can be
made by a person skilled in the art without departing from the scope of the present
invention. For example, although the embodiment described above has three registers
providing up to five levels of security:
1. No Access;
2. Read Only;
3. Read and Write;
4. Read and Execute;
5. Execute, Read and Write,
different numbers of security levels can easily be provided by providing different
numbers of registers.
Claims

1. A portable data carrier comprising:

a processor having privileged and non-privileged modes of operation;

a memory divided into a plurality of blocks, each block having one of a
predetermined number of security levels associated therewith; and

a Memory Management Unit (MMU) coupled to the processor and to the
memory to control access of the processor to the memory according to the mode in
which the processor is operating and the security level of the memory block that the
processor is trying to access.



2. A portable data carrier according to claim 1, wherein the blocks into which the
memory is divided are pages and the MMU is a Paged Memory Management Unit
(PMMU).

3. A portable data carrier according to claim 2, wherein the PMMU restricts access
of the processor to the pages of the memory when the processor is operating in the non-
privileged mode to only those pages that have a predetermined subset of the
predetermined number of security levels.



4. A portable data carrier according to claim 3, wherein the predetermined number
of security levels is five, a first security level allowing access to the page of memory or
not, a second security level allowing reading of the page of memory or not, a third
security level allowing reading and writing of the page of memory or not, a fourth
security level allowing reading and executing of the page of memory or not, and a fifth
security level allowing reading, writing and executing of the page of memory or not.

5. A portable data carrier according to claim 1, wherein the processor includes a
hardware switch for switching between the privileged and non-privileged operating
modes.



6. A portable data carrier according to claim 2, wherein the PMMU comprises at
least one register having a plurality of bits, each bit corresponding to a page of the
memory, a bit value of each bit providing an indication of the security level of the
corresponding page.

7. A portable data carrier according to claim 6, wherein the PMMU comprises at
least three registers, a first register having a plurality of bits whose bit values indicate
whether the corresponding page of the memory can be accessed or not, a second register
having a plurality of bits whose bit values indicate whether the corresponding page of
the memory can be written to or not, and a third register having a plurality of bits whose
bit values indicate whether the corresponding page of the memory can be executed or
not.

8. A portable data carrier according to claim 7, wherein bits in the second and third
registers are only utilised if the bits in the first register corresponding to the same page
have bit values indicating that the page can be accessed.

9. A portable data carrier according to claim 1, wherein the memory comprises an
Electrically Erasable Programmable Read Only Memory (EEPROM).

10. A portable data carrier according to claim 1, wherein the memory comprises a
Random Access Memory (RAM).

11. A portable data carrier according to claim 1, wherein the memory comprises a
Read Only Memory (ROM).

12. A method of managing a memory in a portable data carrier also including a
processor and a Paged Memory Management Unit (PMMU), the memory being divided into a
plurality of pages, the method comprising the steps of:

entering a privileged mode of operation of the processor;

writing one of a plurality of predetermined security levels in the PMMU for at
least one of the pages of the memory;

exiting the privileged mode of operation of the processor; 

entering a non-privileged mode of operation of the processor; 

requesting access to at least one page of the memory by the processor to the 
PMMU; 

utilising the PMMU to determine the security level of the at least one page in the
memory to which the processor has requested access;

selectively accessing the at least one page of memory based on the security level 
determined by the PMMU; and 

exiting the non-privileged mode of operation of the processor. 
13. A method of managing a memory according to claim 12, wherein the step of
selectively accessing the at least one page of memory comprises:

accessing the at least one page of memory when the security level of the page is
within a predetermined subset of the predetermined number of security levels.

14. A method of managing a memory according to claim 13, wherein the
predetermined number of security levels is five, a first security level allowing access to
the page of memory or not, a second security level allowing reading of the page of
memory or not, a third security level allowing reading and writing of the page of
memory or not, a fourth security level allowing reading and executing of the page of
memory or not, and a fifth security level allowing reading, writing and executing of the
page of memory or not.

15. A method of managing a memory according to claim 12, wherein the steps of
entering and exiting the privileged and non-privileged modes of operation of the
processor comprise utilising a hardware switch in the processor.

16. A method of managing a memory according to claim 13, wherein the step of
writing one of a plurality of predetermined security levels in the PMMU comprises
setting a bit value of a bit in at least one register in the PMMU for each page of the
memory for which a security level is to be written.

17. A method of managing a memory according to claim 15, wherein the step of
writing one of a plurality of predetermined security levels in the PMMU comprises setting
a bit value of a corresponding bit in each of three registers in the PMMU for each page
of the memory for which a security level is to be written, the bits in a first register
indicating whether the corresponding page of the memory can be accessed or not, the
bits in a second register indicating whether the corresponding page of the memory can
be written to or not, and the bits in a third register indicating whether the corresponding
page of the memory can be executed or not.

18. A method of managing a memory according to claim 17, wherein the step of
utilising the PMMU to determine the security level comprises:

utilising the bit in the first register corresponding to the at least one page to be
accessed; and

only utilising the corresponding bits in the second and third registers if the bit
value of the bit in the first register indicates that the page can be accessed.

19. A portable data carrier substantially as hereinbefore described with reference to
the accompanying drawings.

20. A method of managing a memory in a portable data carrier substantially as
hereinbefore described with reference to the accompanying drawings.